OAuth redirect URI mismatch

Summary
GitLab Omnibus OAuth: Redirect URI in GET oauth/authorize correct, redirect URI in POST oauth/token using localhost

Note: I’m only allowed to put two URLs here, so
GOOD_URL = https://mattermost.mydomain.com
WRONG_URL = https://127.0.0.1:8081

Steps to reproduce

This is on a long-running Docker Omnibus instance; current versions are GitLab 15.10 and Mattermost 7.8.1. The Docker image is 15.10.0-ce.0.

Expected behavior

The redirect URI in both the GET and POST requests should point to GOOD_URL

Observed behavior

The redirect URI in the GET request points to GOOD_URL.

The redirect URI in the POST request points to BAD_URL, which is the port exposed by Docker.

Mattermost Log

2023-03-24_16:31:20.49820 {"timestamp":"2023-03-24 16:31:20.497 Z","level":"error","msg":"Bad response from token request.","caller":"web/context.go:117","path":"/signup/gitlab/complete","request_id":"4zfd1q59gtd3dmjzur85xuyjje","ip_addr":"127.0.0.1","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":500,"error":"AuthorizeOAuthUser: Bad response from token request., response_body={\"error\":\"invalid_grant\",\"error_description\":\"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.\"}, status_code=400, error=<nil>"}

GitLab Logs

```
{"method":"GET","path":"/oauth/authorize","format":"html","controller":"Oauth::AuthorizationsController","action":"new","status":200,"time":"2023-03-24T16:27:41.165Z","params":[{"key":"response_type","value":"code"},{"key":"client_id","value":"3052a8e17b20162944b0563fbc53917054fbfb575d69f974782cc36406c6f863"},{"key":"redirect_uri","value":"GOOD_URL/signup/gitlab/complete"},{"key":"state","value":"eyJhY3Rpb24iOiJzaWdudXAiLCJ0b2tlbiI6IjE3aGFvZWhkYjgzMXRpeDl0YTU1aW5lanFxOWtvY2FuYmZtOTR3d2FhcndlZXg5b2Rmem1lZDltYWFodHBwYmoifQ=="},{"key":"scope","value":"read_user"}],"redis_calls":8,"redis_allowed_cross_slot_calls":1,"redis_duration_s":0.002315,"redis_read_bytes":792,"redis_write_bytes":1457,"redis_cache_calls":3,"redis_cache_duration_s":0.000827,"redis_cache_read_bytes":609,"redis_cache_write_bytes":248,"redis_sessions_calls":4,"redis_sessions_allowed_cross_slot_calls":1,"redis_sessions_duration_s":0.001259,"redis_sessions_read_bytes":183,"redis_sessions_write_bytes":1156,"redis_shared_state_calls":1,"redis_shared_state_duration_s":0.000229,"redis_shared_state_write_bytes":53,"db_count":8,"db_write_count":3,"db_cached_count":1,"db_replica_count":0,"db_primary_count":8,"db_main_count":8,"db_main_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":1,"db_main_cached_count":1,"db_main_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_main_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.081,"db_main_duration_s":0.081,"db_main_replica_duration_s":0.0,"cpu_s":0.200091,"mem_objects":140560,"mem_bytes":22301511,"mem_mallocs":86409,"mem_total_bytes":27923911,"pid":667,"worker_id":"puma_1","rate_limiting_gates":,"correlation_id":"01GWA74ZXCJ6N8TQ7YDK5C4HER","db_duration_s":0.08091,"view_duration_s":0.01334,"duration_s":0.14197}

{"method":"POST","path":"/oauth/token","format":"json","controller":"Oauth::TokensController","action":"create","status":400,"time":"2023-03-24T16:27:41.385Z","params":[{"key":"client_id","value":"3052a8e17b20162944b0563fbc53917054fbfb575d69f974782cc36406c6f863"},{"key":"client_secret","value":"[FILTERED]"},{"key":"code","value":"[FILTERED]"},{"key":"grant_type","value":"authorization_code"},{"key":"redirect_uri","value":"BAD_URL/signup/gitlab/complete"}],"db_count":3,"db_write_count":0,"db_cached_count":0,"db_replica_count":0,"db_primary_count":3,"db_main_count":3,"db_main_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_main_cached_count":0,"db_main_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_main_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.007,"db_main_duration_s":0.007,"db_main_replica_duration_s":0.0,"cpu_s":0.075647,"mem_objects":26548,"mem_bytes":7002735,"mem_mallocs":21095,"mem_total_bytes":8064655,"pid":665,"worker_id":"puma_0","rate_limiting_gates":,"correlation_id":"01GWA750BAXTTAR7WCN0B95NWT","db_duration_s":0.00993,"view_duration_s":0.00022,"duration_s":0.06754}
```

Hi @leithouse and welcome to the Mattermost forums!

This is just a long shot, but could it be that your SiteUrl still points to https://127.0.0.1:8081? If you have mmctl set up, please run `mmctl --local config get ServiceSettings.SiteURL` to verify the value (or change it accordingly).

Hi @agriesser,

Thanks for the response. I figured it out by tracing the path through the source code. The hostname there isn’t coming from the configured site; it’s pulled out of an HTTP request.

So I checked my reverse proxy settings and ensured I was keeping the hostname on the passthrough and that cleared up the issue.

Yes, hostname passthrough is important for that to work. Thanks for letting us know how you fixed it, I’ll mark this issue as resolved now.
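
The comparison made by hand in the first post, as an added example that is not part of the original thread: it reads GitLab JSON request-log lines and reports every `POST /oauth/token` whose `redirect_uri` differs from the one in the preceding `GET /oauth/authorize` for the same `client_id`, which is the condition that yields `invalid_grant` here. The log lines, hosts and client IDs are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of GitLab's JSON request log, trimmed to the
# fields this check reads. Hosts and client IDs are placeholders.
SAMPLE_LOG = """\
{"method":"GET","path":"/oauth/authorize","status":200,"time":"2023-01-01T10:00:00.100Z","params":[{"key":"client_id","value":"client-a"},{"key":"redirect_uri","value":"https://chat.example.test/signup/gitlab/complete"}]}
{"method":"POST","path":"/oauth/token","status":400,"time":"2023-01-01T10:00:00.300Z","params":[{"key":"client_id","value":"client-a"},{"key":"code","value":"[FILTERED]"},{"key":"redirect_uri","value":"https://127.0.0.1:8081/signup/gitlab/complete"}]}
{"method":"GET","path":"/oauth/authorize","status":200,"time":"2023-01-01T10:05:00.000Z","params":[{"key":"client_id","value":"client-b"},{"key":"redirect_uri","value":"https://app.example.test/cb"}]}
{"method":"POST","path":"/oauth/token","status":200,"time":"2023-01-01T10:05:00.200Z","params":[{"key":"client_id","value":"client-b"},{"key":"redirect_uri","value":"https://app.example.test/cb"}]}
a non-JSON line that the parser must skip
"""


def params_of(entry):
    """Flatten the log's [{"key": ..., "value": ...}] params list into a dict."""
    items = entry.get("params") if isinstance(entry.get("params"), list) else []
    return {p["key"]: p.get("value") for p in items if isinstance(p, dict) and "key" in p}


def find_redirect_mismatches(lines):
    """Return one finding per token request whose redirect_uri is not identical
    to the last authorize request logged for the same client_id."""
    last_authorize = {}  # client_id -> redirect_uri seen on GET /oauth/authorize
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(entry, dict):
            continue
        params = params_of(entry)
        client, uri = params.get("client_id"), params.get("redirect_uri")
        if not client or not isinstance(uri, str):
            continue
        if entry.get("path") == "/oauth/authorize":
            last_authorize[client] = uri
        elif entry.get("path") == "/oauth/token" and uri != last_authorize.get(client, uri):
            sent = last_authorize[client]
            findings.append({"client_id": client, "time": entry.get("time"),
                             "status": entry.get("status"), "authorize_uri": sent, "token_uri": uri,
                             "host_differs": urlsplit(uri).netloc != urlsplit(sent).netloc})
    return findings


if __name__ == "__main__":
    for finding in find_redirect_mismatches(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with `host_differs` set points at the client building its callback URL from a rewritten `Host` header, which is what the reverse proxy fix above addressed.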